[Top] [All Lists]

Re: Requesting comments on draft-cheney-safe-02.txt

2009-08-08 12:05:48

Cheney, Edward A SSG RES USAR USARC wrote:


Users can only be protected from themselves through adherance to
policies, procedures, and relevant training.  That is leadership
solution and not a technology solution.  Protecting user from themselves
does not solve exploitable weaknesses in technology.  In these cases you
have to simply fix the technology to disallow exploitation.  If this
were not so software companies would not spend millions of dollars to
continually patch their products if administrators and management could
so easily retrain their users.

But what about market forces?

One of your concerns is embedded software backend communications, i.e. cross domain xtalk unbeknowst to the users with embedded plugins like the following:

    - Flash
    - Quicktime
    - Real Player
    - Silverlight
    - Windows Media Player (WMP)

All of these players (including Apple, Google, AT&T, ComCast and so on) have a major strategy to add MORE background communications in their designs to "network" users and also build their BI for added value services (direct marketing, social networking).

AJAX is been relaxed for cross domain requests as well as IE already allows with user authorization.

I know of only of WMP and Flash having domain whitelist for cross domains xtalk. That is one of the big features in Flash 9.

I understand what you mean. Do you realize we have a 15 year old that is among the decision makers in how FireFox and Javascript is evolving? He is also the author of jQuery. Its scary to see this guy in action exhibiting lack of social ethical engineering understanding at times. I tried to provide some insight about all this - beware of what you wanting to do.

But its really too late.

What I have trouble seeing is how SMTP will help.  But you have two parts:

   - Some authorization protocol using SMTP (i think), that
     is coupled with,

   - Prohibition of existing Interactive methods, i.e. DOM

I don't see how the two is related or why DOM events can no longer be used.

You are not going to stop DOM events, or even get people to consider not using it. So if that is a major part of SAFE, you already have a major road block in getting people interested in SAFE. Never mind the technical issues related to a SMTP callback system especially one that will be based on HTTP huge redundancy in HTTP requests.


Hector Santos

<Prev in Thread] Current Thread [Next in Thread>